Tweaking Even-Mansour Ciphers

Tweakable Block Ciphers Our Contribution Proof Overview Longer Cascades Conclusion

Benoît Cogliati1 Rodolphe Lampe1 Yannick Seurin2

1Versailles University, France

2ANSSI, France

August 17, 2015 — CRYPTO 2015

Cogliati, Lampe, Seurin Tweaking Even-Mansour Ciphers CRYPTO 2015 1 / 26 Tweakable Block Ciphers Our Contribution Proof Overview Longer Cascades Conclusion Outline

Background: Tweakable Block Ciphers

Our Contribution

Overview of the Proof for Two Rounds

Longer Cascades

Conclusion and Perspectives

Cogliati, Lampe, Seurin Tweaking Even-Mansour Ciphers CRYPTO 2015 2 / 26 t

Tweakable Block Ciphers Our Contribution Proof Overview Longer Cascades Conclusion Tweakable Block Ciphers (TBCs) k

x Ee y

• tweak t: brings variability to the block cipher • t assumed public or even adversarially controlled • each tweak should give an “independent” permutation • few “natively tweakable” BCs: • Hasty Pudding Cipher [Sch98] • Mercy [Cro00] • Threeﬁsh [FLS+10] • CAESAR proposals KIASU, Deoxys, Joltik, (i)SCREAM, Minalpher

Cogliati, Lampe, Seurin Tweaking Even-Mansour Ciphers CRYPTO 2015 3 / 26 Tweakable Block Ciphers Our Contribution Proof Overview Longer Cascades Conclusion Tweakable Block Ciphers (TBCs) k

x Ee y

Cogliati, Lampe, Seurin Tweaking Even-Mansour Ciphers CRYPTO 2015 3 / 26 Tweakable Block Ciphers Our Contribution Proof Overview Longer Cascades Conclusion Tweakable Block Ciphers (TBCs) k

x Ee y

Cogliati, Lampe, Seurin Tweaking Even-Mansour Ciphers CRYPTO 2015 3 / 26 Tweakable Block Ciphers Our Contribution Proof Overview Longer Cascades Conclusion Tweakable Block Ciphers (TBCs) k

x Ee y

Cogliati, Lampe, Seurin Tweaking Even-Mansour Ciphers CRYPTO 2015 3 / 26 Tweakable Block Ciphers Our Contribution Proof Overview Longer Cascades Conclusion Tweakable Block Ciphers (TBCs) k

x Ee y

Cogliati, Lampe, Seurin Tweaking Even-Mansour Ciphers CRYPTO 2015 3 / 26 hk0 (t) hk0 (t)

Tweakable Block Ciphers Our Contribution Proof Overview Longer Cascades Conclusion Generic Constructions of TBCs

• A generic TBC construction turns a conventional block cipher E into a TBC Ee • example: LRW construction by Liskov et al. [LRW02]

x E y

0 • h is XOR-universal, e.g. hk0 (t) = k ⊗ t (ﬁeld mult.) • secure up to ∼ 2n/2 queries

• related construction XEX [Rog04] uses Ek (t) instead of hk0 (t) (used e.g. in the XTS disk encryption mode)

Cogliati, Lampe, Seurin Tweaking Even-Mansour Ciphers CRYPTO 2015 4 / 26 hk0 (t) hk0 (t)

Tweakable Block Ciphers Our Contribution Proof Overview Longer Cascades Conclusion Generic Constructions of TBCs

• A generic TBC construction turns a conventional block cipher E into a TBC Ee • example: LRW construction by Liskov et al. [LRW02]

x E y

0 • h is XOR-universal, e.g. hk0 (t) = k ⊗ t (ﬁeld mult.) • secure up to ∼ 2n/2 queries

• related construction XEX [Rog04] uses Ek (t) instead of hk0 (t) (used e.g. in the XTS disk encryption mode)

Cogliati, Lampe, Seurin Tweaking Even-Mansour Ciphers CRYPTO 2015 4 / 26 Tweakable Block Ciphers Our Contribution Proof Overview Longer Cascades Conclusion Generic Constructions of TBCs

• A generic TBC construction turns a conventional block cipher E into a TBC Ee • example: LRW construction by Liskov et al. [LRW02]

hk0 (t) k hk0 (t)

x E y

0 • h is XOR-universal, e.g. hk0 (t) = k ⊗ t (ﬁeld mult.) • secure up to ∼ 2n/2 queries

• related construction XEX [Rog04] uses Ek (t) instead of hk0 (t) (used e.g. in the XTS disk encryption mode)

Cogliati, Lampe, Seurin Tweaking Even-Mansour Ciphers CRYPTO 2015 4 / 26 Tweakable Block Ciphers Our Contribution Proof Overview Longer Cascades Conclusion Generic Constructions of TBCs

• A generic TBC construction turns a conventional block cipher E into a TBC Ee • example: LRW construction by Liskov et al. [LRW02]

hk0 (t) k hk0 (t)

x E y

0 • h is XOR-universal, e.g. hk0 (t) = k ⊗ t (ﬁeld mult.) • secure up to ∼ 2n/2 queries

• related construction XEX [Rog04] uses Ek (t) instead of hk0 (t) (used e.g. in the XTS disk encryption mode)

Cogliati, Lampe, Seurin Tweaking Even-Mansour Ciphers CRYPTO 2015 4 / 26 Tweakable Block Ciphers Our Contribution Proof Overview Longer Cascades Conclusion Generic Constructions of TBCs

• A generic TBC construction turns a conventional block cipher E into a TBC Ee • example: LRW construction by Liskov et al. [LRW02]

hk0 (t) k hk0 (t)

x E y

0 • h is XOR-universal, e.g. hk0 (t) = k ⊗ t (ﬁeld mult.) • secure up to ∼ 2n/2 queries

• related construction XEX [Rog04] uses Ek (t) instead of hk0 (t) (used e.g. in the XTS disk encryption mode)

Cogliati, Lampe, Seurin Tweaking Even-Mansour Ciphers CRYPTO 2015 4 / 26 Tweakable Block Ciphers Our Contribution Proof Overview Longer Cascades Conclusion Cascading the LRW Construction

0 0 0 k1 ⊗ t k2 ⊗ t kr ⊗ t

x Ek1 Ek2 Ekr y

0 0 • k1,..., kr and k1,..., kr independent keys ⇒ total key-length = r(κ + n) • 2 rounds: provably secure up to ∼ 22n/3 queries [LST12] rn • r rounds, r even: provably secure up to ∼ 2 r+2 queries [LS13] • NB: only assuming E is a PRP (standard security notion, no ideal model)

Cogliati, Lampe, Seurin Tweaking Even-Mansour Ciphers CRYPTO 2015 5 / 26 Tweakable Block Ciphers Our Contribution Proof Overview Longer Cascades Conclusion Cascading the LRW Construction

0 0 0 k1 ⊗ t k2 ⊗ t kr ⊗ t

x Ek1 Ek2 Ekr y

Cogliati, Lampe, Seurin Tweaking Even-Mansour Ciphers CRYPTO 2015 5 / 26 Tweakable Block Ciphers Our Contribution Proof Overview Longer Cascades Conclusion Cascading the LRW Construction

0 0 0 k1 ⊗ t k2 ⊗ t kr ⊗ t

x Ek1 Ek2 Ekr y

Cogliati, Lampe, Seurin Tweaking Even-Mansour Ciphers CRYPTO 2015 5 / 26 Tweakable Block Ciphers Our Contribution Proof Overview Longer Cascades Conclusion Cascading the LRW Construction

0 0 0 k1 ⊗ t k2 ⊗ t kr ⊗ t

x Ek1 Ek2 Ekr y

Cogliati, Lampe, Seurin Tweaking Even-Mansour Ciphers CRYPTO 2015 5 / 26 Tweakable Block Ciphers Our Contribution Proof Overview Longer Cascades Conclusion Outline

Background: Tweakable Block Ciphers

Our Contribution

Overview of the Proof for Two Rounds

Longer Cascades

Conclusion and Perspectives

Cogliati, Lampe, Seurin Tweaking Even-Mansour Ciphers CRYPTO 2015 6 / 26 ( , t)

Tweakable Block Ciphers Our Contribution Proof Overview Longer Cascades Conclusion Tweakable Even-Mansour Constructions Our Goal Provide provable security guidelines to design TBCs “from scratch” (rather than from an existing conventional block cipher). • “from scratch” → from some lower level primitive • from a PRF: Feistel schemes [GHL+07, MI08] • this work: SPN ciphers (more gen. key-alternating ciphers)

f0 f1 fr

x P1 P2 Pr y

• analysis in the Random Permutation Model ⇒ “tweakable” Even-Mansour construction(s)

Cogliati, Lampe, Seurin Tweaking Even-Mansour Ciphers CRYPTO 2015 7 / 26 ( , t)

f0 f1 fr

x P1 P2 Pr y

• analysis in the Random Permutation Model ⇒ “tweakable” Even-Mansour construction(s)

Cogliati, Lampe, Seurin Tweaking Even-Mansour Ciphers CRYPTO 2015 7 / 26 ( , t)

f0 f1 fr

x P1 P2 Pr y

• analysis in the Random Permutation Model ⇒ “tweakable” Even-Mansour construction(s)

Cogliati, Lampe, Seurin Tweaking Even-Mansour Ciphers CRYPTO 2015 7 / 26 ( , t)

f0 f1 fr

x P1 P2 Pr y

• analysis in the Random Permutation Model ⇒ “tweakable” Even-Mansour construction(s)

Cogliati, Lampe, Seurin Tweaking Even-Mansour Ciphers CRYPTO 2015 7 / 26 ( , t)

f0 f1 fr

x P1 P2 Pr y

• analysis in the Random Permutation Model ⇒ “tweakable” Even-Mansour construction(s)

Cogliati, Lampe, Seurin Tweaking Even-Mansour Ciphers CRYPTO 2015 7 / 26 Tweakable Block Ciphers Our Contribution Proof Overview Longer Cascades Conclusion Tweakable Even-Mansour Constructions Our Goal Provide provable security guidelines to design TBCs “from scratch” (rather than from an existing conventional block cipher). • “from scratch” → from some lower level primitive • from a PRF: Feistel schemes [GHL+07, MI08] • this work: SPN ciphers (more gen. key-alternating ciphers)

(k, t)

f0 f1 fr

x P1 P2 Pr y

• analysis in the Random Permutation Model ⇒ “tweakable” Even-Mansour construction(s)

(k, t)

f0 f1 fr

x P1 P2 Pr y

• analysis in the Random Permutation Model ⇒ “tweakable” Even-Mansour construction(s)

Cogliati, Lampe, Seurin Tweaking Even-Mansour Ciphers CRYPTO 2015 7 / 26 Tweakable Block Ciphers Our Contribution Proof Overview Longer Cascades Conclusion The Random Permutation Model (RPM)

(k, t)

f0 f1 fr

y x P1 P2 Pr P1 ··· Pr

qc qp qp

• the Pi ’s are modeled as public random permutation oracles (adversary can only make black-box queries) • adversary cannot exploit any weakness of the Pi ’s ⇒ generic attacks • complexity measure of the adversary: • qc = # construction queries = pt/ct pairs (data D) • qp = # queries to each internal permutation oracle (time T ) • but otherwise computationally unbounded • ⇒ information-theoretic proof of security

Cogliati, Lampe, Seurin Tweaking Even-Mansour Ciphers CRYPTO 2015 8 / 26 Tweakable Block Ciphers Our Contribution Proof Overview Longer Cascades Conclusion The Random Permutation Model (RPM)

(k, t)

f0 f1 fr

y x P1 P2 Pr P1 ··· Pr

qc qp qp

Cogliati, Lampe, Seurin Tweaking Even-Mansour Ciphers CRYPTO 2015 8 / 26 Tweakable Block Ciphers Our Contribution Proof Overview Longer Cascades Conclusion The Random Permutation Model (RPM)

(k, t)

f0 f1 fr

y x P1 P2 Pr P1 ··· Pr

qc qp qp

Cogliati, Lampe, Seurin Tweaking Even-Mansour Ciphers CRYPTO 2015 8 / 26 Tweakable Block Ciphers Our Contribution Proof Overview Longer Cascades Conclusion The Random Permutation Model (RPM)

(k, t)

f0 f1 fr

y x P1 P2 Pr P1 ··· Pr

qc qp qp

Cogliati, Lampe, Seurin Tweaking Even-Mansour Ciphers CRYPTO 2015 8 / 26 Question How can we obtain a construction with security beyond the birthday-bound?

Tweakable Block Ciphers Our Contribution Proof Overview Longer Cascades Conclusion Previous Result

k⊕t k⊕t k⊕t k⊕t

x P1 P2 P3 y

• provably secure in the RPM up to ∼ 2n/2 queries [CS15, FP15] • can be written Ee(k, t, x) = E(k⊕t, x) where E is the conventional 3-round EM cipher with trivial key-schedule • ⇒ secure up to 2n/2 queries at best by a simple collision attack

Cogliati, Lampe, Seurin Tweaking Even-Mansour Ciphers CRYPTO 2015 9 / 26 Question How can we obtain a construction with security beyond the birthday-bound?

Tweakable Block Ciphers Our Contribution Proof Overview Longer Cascades Conclusion Previous Result

k⊕t k⊕t k⊕t k⊕t

x P1 P2 P3 y

Cogliati, Lampe, Seurin Tweaking Even-Mansour Ciphers CRYPTO 2015 9 / 26 Question How can we obtain a construction with security beyond the birthday-bound?

Tweakable Block Ciphers Our Contribution Proof Overview Longer Cascades Conclusion Previous Result

k⊕t k⊕t k⊕t k⊕t

x P1 P2 P3 y

Cogliati, Lampe, Seurin Tweaking Even-Mansour Ciphers CRYPTO 2015 9 / 26 Tweakable Block Ciphers Our Contribution Proof Overview Longer Cascades Conclusion Previous Result

k⊕t k⊕t k⊕t k⊕t

x P1 P2 P3 y

Question How can we obtain a construction with security beyond the birthday-bound?

Cogliati, Lampe, Seurin Tweaking Even-Mansour Ciphers CRYPTO 2015 9 / 26 k0 k0 (1-round) Tweakable Even-MansourP (TEM) construction

Tweakable Block Ciphers Our Contribution Proof Overview Longer Cascades Conclusion Back to LRW • instantiate E with the 1-round Even-Mansour construction

k ⊗ t k0 k ⊗ t

x E y

• provably secure in the RPM up to ∼ 2n/2 queries:

q2 2q q Adv(q , q ) ≤ c + c p . c p 2n 2n • t 6= 0 ⇒ k0 is superﬂuous (k ⊗ t unif. random for any t 6= 0)

Cogliati, Lampe, Seurin Tweaking Even-Mansour Ciphers CRYPTO 2015 10 / 26 (1-round) Tweakable Even-Mansour (TEM) construction

Tweakable Block Ciphers Our Contribution Proof Overview Longer Cascades Conclusion Back to LRW • instantiate E with the 1-round Even-Mansour construction

k0 k0 P

k ⊗ t k0 k ⊗ t

x E y

• provably secure in the RPM up to ∼ 2n/2 queries:

q2 2q q Adv(q , q ) ≤ c + c p . c p 2n 2n • t 6= 0 ⇒ k0 is superﬂuous (k ⊗ t unif. random for any t 6= 0)

Cogliati, Lampe, Seurin Tweaking Even-Mansour Ciphers CRYPTO 2015 10 / 26 k0 k0 (1-round) Tweakable Even-MansourP (TEM) construction

Tweakable Block Ciphers Our Contribution Proof Overview Longer Cascades Conclusion Back to LRW • instantiate E with the 1-round Even-Mansour construction

(k ⊗ t) ⊕ k0 (k ⊗ t) ⊕ k0

x P y

• provably secure in the RPM up to ∼ 2n/2 queries:

q2 2q q Adv(q , q ) ≤ c + c p . c p 2n 2n • t 6= 0 ⇒ k0 is superﬂuous (k ⊗ t unif. random for any t 6= 0)

Cogliati, Lampe, Seurin Tweaking Even-Mansour Ciphers CRYPTO 2015 10 / 26 k0 k0 (1-round) Tweakable Even-MansourP (TEM) construction

Tweakable Block Ciphers Our Contribution Proof Overview Longer Cascades Conclusion Back to LRW • instantiate E with the 1-round Even-Mansour construction

(k ⊗ t) ⊕ k0 (k ⊗ t) ⊕ k0

x P y

• provably secure in the RPM up to ∼ 2n/2 queries:

q2 2q q Adv(q , q ) ≤ c + c p . c p 2n 2n • t 6= 0 ⇒ k0 is superﬂuous (k ⊗ t unif. random for any t 6= 0)

Cogliati, Lampe, Seurin Tweaking Even-Mansour Ciphers CRYPTO 2015 10 / 26 k0 k0 (1-round) Tweakable Even-MansourP (TEM) construction

Tweakable Block Ciphers Our Contribution Proof Overview Longer Cascades Conclusion Back to LRW • instantiate E with the 1-round Even-Mansour construction

k ⊗ t k ⊗ t

x P y

• provably secure in the RPM up to ∼ 2n/2 queries:

q2 2q q Adv(q , q ) ≤ c + c p . c p 2n 2n • t 6= 0 ⇒ k0 is superﬂuous (k ⊗ t unif. random for any t 6= 0)

Cogliati, Lampe, Seurin Tweaking Even-Mansour Ciphers CRYPTO 2015 10 / 26 k0 k0 P

Tweakable Block Ciphers Our Contribution Proof Overview Longer Cascades Conclusion Back to LRW • instantiate E with the 1-round Even-Mansour construction

(1-round) Tweakable Even-Mansour (TEM) construction

k ⊗ t k ⊗ t

x P y

• provably secure in the RPM up to ∼ 2n/2 queries:

q2 2q q Adv(q , q ) ≤ c + c p . c p 2n 2n • t 6= 0 ⇒ k0 is superﬂuous (k ⊗ t unif. random for any t 6= 0)

Cogliati, Lampe, Seurin Tweaking Even-Mansour Ciphers CRYPTO 2015 10 / 26 Tweakable Block Ciphers Our Contribution Proof Overview Longer Cascades Conclusion Cascading the TEM Construction

• k1, k2 independent n-bit keys

k1 ⊗ t k2 ⊗ t

x P1 P2 y

• our main result: secure up to ∼ 22n/3 queries in the RPM: √ 34q3/2 30 q q Adv(q , q ) ≤ c + c p . c p 2n 2n

Cogliati, Lampe, Seurin Tweaking Even-Mansour Ciphers CRYPTO 2015 11 / 26 Tweakable Block Ciphers Our Contribution Proof Overview Longer Cascades Conclusion Cascading the TEM Construction

• k1, k2 independent n-bit keys

k1 ⊗ t k2 ⊗ t

x P1 P2 y

• our main result: secure up to ∼ 22n/3 queries in the RPM: √ 34q3/2 30 q q Adv(q , q ) ≤ c + c p . c p 2n 2n

Cogliati, Lampe, Seurin Tweaking Even-Mansour Ciphers CRYPTO 2015 11 / 26 Tweakable Block Ciphers Our Contribution Proof Overview Longer Cascades Conclusion Outline

Background: Tweakable Block Ciphers

Our Contribution

Overview of the Proof for Two Rounds

Longer Cascades

Conclusion and Perspectives

Cogliati, Lampe, Seurin Tweaking Even-Mansour Ciphers CRYPTO 2015 12 / 26 Tweakable Block Ciphers Our Contribution Proof Overview Longer Cascades Conclusion Formalization of the Security Experiment

Real world Ideal world

k1 ⊗ t k2 ⊗ t kr ⊗ t

y x P1 P2 Pr P1,..., Pr Pe0 P1,..., Pr

qc qp qc qp

0/1 0/1

• real world: TEM construction with random keys k1,..., kr

• ideal world: random tweakable permutation Pe0 independent from P1,..., Pr

• RPM: D has oracle access to P1,..., Pr in both worlds

Cogliati, Lampe, Seurin Tweaking Even-Mansour Ciphers CRYPTO 2015 13 / 26 Tweakable Block Ciphers Our Contribution Proof Overview Longer Cascades Conclusion Formalization of the Security Experiment

Real world Ideal world

k1 ⊗ t k2 ⊗ t kr ⊗ t

y x P1 P2 Pr P1,..., Pr Pe0 P1,..., Pr

qc qp qc qp

0/1 0/1

• real world: TEM construction with random keys k1,..., kr

• ideal world: random tweakable permutation Pe0 independent from P1,..., Pr

• RPM: D has oracle access to P1,..., Pr in both worlds

Cogliati, Lampe, Seurin Tweaking Even-Mansour Ciphers CRYPTO 2015 13 / 26 Tweakable Block Ciphers Our Contribution Proof Overview Longer Cascades Conclusion Proof Technique: H-coeﬃcients

Real world Ideal world

k1 ⊗ t k2 ⊗ t kr ⊗ t

y x P1 P2 Pr P1,..., Pr Pe0 P1,..., Pr

qc qp qc qp

1. consider the transcript of all queries of D to the construction and to the inner permutations 2. deﬁne bad transcripts and show that their probability is small (in the ideal world) 3. show that good transcripts are almost as probable in the real and the ideal world

Cogliati, Lampe, Seurin Tweaking Even-Mansour Ciphers CRYPTO 2015 14 / 26 Tweakable Block Ciphers Our Contribution Proof Overview Longer Cascades Conclusion Proof Technique: H-coeﬃcients

Real world Ideal world

k1 ⊗ t k2 ⊗ t kr ⊗ t

y x P1 P2 Pr P1,..., Pr Pe0 P1,..., Pr

qc qp qc qp

Cogliati, Lampe, Seurin Tweaking Even-Mansour Ciphers CRYPTO 2015 14 / 26 Tweakable Block Ciphers Our Contribution Proof Overview Longer Cascades Conclusion Proof Technique: H-coeﬃcients

Real world Ideal world

k1 ⊗ t k2 ⊗ t kr ⊗ t

y x P1 P2 Pr P1,..., Pr Pe0 P1,..., Pr

qc qp qc qp

Cogliati, Lampe, Seurin Tweaking Even-Mansour Ciphers CRYPTO 2015 14 / 26 q q2 (t, x) u1 v1 u2 v2 c p proba ≤ 22n

(t, x) 2 proba ≤ qc (t0, x 0) 22n

Tweakable Block Ciphers Our Contribution Proof Overview Longer Cascades Conclusion Bad Transcripts

• one needs to avoid “two-fold” collisions:

k1 ⊗ t k2 ⊗ t

x P1 P2 y

Cogliati, Lampe, Seurin Tweaking Even-Mansour Ciphers CRYPTO 2015 15 / 26 q q2 (t, x) u1 v1 u2 v2 c p proba ≤ 22n

(t, x) 2 proba ≤ qc (t0, x 0) 22n

Tweakable Block Ciphers Our Contribution Proof Overview Longer Cascades Conclusion Bad Transcripts

• one needs to avoid “two-fold” collisions:

k1 ⊗ t k2 ⊗ t

x P1 P2 y

Cogliati, Lampe, Seurin Tweaking Even-Mansour Ciphers CRYPTO 2015 15 / 26 q q2 (t, x) u2 v2 c p proba ≤ 22n

(t, x) 2 proba ≤ qc (t0, x 0) 22n

Tweakable Block Ciphers Our Contribution Proof Overview Longer Cascades Conclusion Bad Transcripts

• one needs to avoid “two-fold” collisions:

k1 ⊗ t k2 ⊗ t

x P1 P2 y

u1 v1

Cogliati, Lampe, Seurin Tweaking Even-Mansour Ciphers CRYPTO 2015 15 / 26 2 (t, x) qcqp proba ≤ 22n

(t, x) 2 proba ≤ qc (t0, x 0) 22n

Tweakable Block Ciphers Our Contribution Proof Overview Longer Cascades Conclusion Bad Transcripts

• one needs to avoid “two-fold” collisions:

k1 ⊗ t k2 ⊗ t

x P1 P2 y

u1 v1 u2 v2

Cogliati, Lampe, Seurin Tweaking Even-Mansour Ciphers CRYPTO 2015 15 / 26 2 qcqp proba ≤ 22n

(t, x) 2 proba ≤ qc (t0, x 0) 22n

Tweakable Block Ciphers Our Contribution Proof Overview Longer Cascades Conclusion Bad Transcripts

• one needs to avoid “two-fold” collisions:

k1 ⊗ t k2 ⊗ t

x P1 P2 y

(t, x) u1 v1 u2 v2

Cogliati, Lampe, Seurin Tweaking Even-Mansour Ciphers CRYPTO 2015 15 / 26 (t, x) 2 proba ≤ qc (t0, x 0) 22n

Tweakable Block Ciphers Our Contribution Proof Overview Longer Cascades Conclusion Bad Transcripts

• one needs to avoid “two-fold” collisions:

k1 ⊗ t k2 ⊗ t

x P1 P2 y

q q2 (t, x) u1 v1 u2 v2 c p proba ≤ 22n

Cogliati, Lampe, Seurin Tweaking Even-Mansour Ciphers CRYPTO 2015 15 / 26 (t, x) 2 proba ≤ qc (t0, x 0) 22n

Tweakable Block Ciphers Our Contribution Proof Overview Longer Cascades Conclusion Bad Transcripts

• one needs to avoid “two-fold” collisions:

k1 ⊗ t k2 ⊗ t

x P1 P2 y

q q2 (t, x) u1 v1 u2 v2 c p proba ≤ 22n

Cogliati, Lampe, Seurin Tweaking Even-Mansour Ciphers CRYPTO 2015 15 / 26 2 proba ≤ qc (t0, x 0) 22n

Tweakable Block Ciphers Our Contribution Proof Overview Longer Cascades Conclusion Bad Transcripts

• one needs to avoid “two-fold” collisions:

k1 ⊗ t k2 ⊗ t

x P1 P2 y

q q2 (t, x) u1 v1 u2 v2 c p proba ≤ 22n

(t, x)

Cogliati, Lampe, Seurin Tweaking Even-Mansour Ciphers CRYPTO 2015 15 / 26 2 qc proba ≤ 22n

Tweakable Block Ciphers Our Contribution Proof Overview Longer Cascades Conclusion Bad Transcripts

• one needs to avoid “two-fold” collisions:

k1 ⊗ t k2 ⊗ t

x P1 P2 y

q q2 (t, x) u1 v1 u2 v2 c p proba ≤ 22n

(t, x) (t0, x 0)

Cogliati, Lampe, Seurin Tweaking Even-Mansour Ciphers CRYPTO 2015 15 / 26 Tweakable Block Ciphers Our Contribution Proof Overview Longer Cascades Conclusion Bad Transcripts

• one needs to avoid “two-fold” collisions:

k1 ⊗ t k2 ⊗ t

x P1 P2 y

q q2 (t, x) u1 v1 u2 v2 c p proba ≤ 22n

(t, x) 2 proba ≤ qc (t0, x 0) 22n

Cogliati, Lampe, Seurin Tweaking Even-Mansour Ciphers CRYPTO 2015 15 / 26 Tweakable Block Ciphers Our Contribution Proof Overview Longer Cascades Conclusion The Ten “Bad Collision” Cases

P1 P2

(t, x) u1 v2 (t, y)

(t, x) u1 v1 u2 v1 u2 v2 (t, y)

(t, x) (t, y) (t0, x 0) (t00, y 00)

(t, x) (t, y) (t0, x 0) (t0, y 0)

(t, x) u1 (t, y) (t, x) v2 (t, y) (t0, y 0) (t0, x 0)

(t, x) u1 v1 u2 v2 (t, y)

0 0 0 0 0 0 0 0 (t , x ) u1 v1 u2 v2 (t , y )

Cogliati, Lampe, Seurin Tweaking Even-Mansour Ciphers CRYPTO 2015 16 / 26 Tweakable Block Ciphers Our Contribution Proof Overview Longer Cascades Conclusion Distribution of Good Transcripts

P1 P2 • assuming there are no bad collisions, show that

QU1 Uf2 Vf2 U1 V1 the answers of the TEM construction are close to answers of a random QV2 Uf1 Vf1 U2 V2 tweakable permutation • for each query, there is a “fresh” value of P or U0 V 0 0 0 1 QX 1 1 U2 V2 P2 which randomizes the output

00 00 U00 V 00 QY U1 V1 2 2

Cogliati, Lampe, Seurin Tweaking Even-Mansour Ciphers CRYPTO 2015 17 / 26 Tweakable Block Ciphers Our Contribution Proof Overview Longer Cascades Conclusion Distribution of Good Transcripts

P1 P2 • assuming there are no bad collisions, show that

00 00 U00 V 00 QY U1 V1 2 2

Cogliati, Lampe, Seurin Tweaking Even-Mansour Ciphers CRYPTO 2015 17 / 26 Tweakable Block Ciphers Our Contribution Proof Overview Longer Cascades Conclusion Outline

Background: Tweakable Block Ciphers

Our Contribution

Overview of the Proof for Two Rounds

Longer Cascades

Conclusion and Perspectives

Cogliati, Lampe, Seurin Tweaking Even-Mansour Ciphers CRYPTO 2015 18 / 26 Tweakable Block Ciphers Our Contribution Proof Overview Longer Cascades Conclusion Longer Cascades of the TEM Construction

k1 ⊗ t k2 ⊗ t kr ⊗ t

x P1 P2 Pr y

• r rounds, r even, with independent keys k1,..., kr secure up to

rn (r/2)n ∼ 2 r+2 = 2 (r/2)+1 queries

• proof: 1. non-adaptive security for r/2 rounds (coupling technique) 2. adaptive security for r rounds (“two weak make one strong” composition theorem) rn • conjecture: secure up to ∼ 2 r+1 queries

Cogliati, Lampe, Seurin Tweaking Even-Mansour Ciphers CRYPTO 2015 19 / 26 Tweakable Block Ciphers Our Contribution Proof Overview Longer Cascades Conclusion Longer Cascades of the TEM Construction

k1 ⊗ t k2 ⊗ t kr ⊗ t

x P1 P2 Pr y

• r rounds, r even, with independent keys k1,..., kr secure up to

rn (r/2)n ∼ 2 r+2 = 2 (r/2)+1 queries

Cogliati, Lampe, Seurin Tweaking Even-Mansour Ciphers CRYPTO 2015 19 / 26 Tweakable Block Ciphers Our Contribution Proof Overview Longer Cascades Conclusion Longer Cascades of the TEM Construction

k1 ⊗ t k2 ⊗ t kr ⊗ t

x P1 P2 Pr y

• r rounds, r even, with independent keys k1,..., kr secure up to

rn (r/2)n ∼ 2 r+2 = 2 (r/2)+1 queries

Cogliati, Lampe, Seurin Tweaking Even-Mansour Ciphers CRYPTO 2015 19 / 26 Tweakable Block Ciphers Our Contribution Proof Overview Longer Cascades Conclusion Longer Cascades of the TEM Construction

k1 ⊗ t k2 ⊗ t kr ⊗ t

x P1 P2 Pr y

• r rounds, r even, with independent keys k1,..., kr secure up to

rn (r/2)n ∼ 2 r+2 = 2 (r/2)+1 queries

Cogliati, Lampe, Seurin Tweaking Even-Mansour Ciphers CRYPTO 2015 19 / 26 Tweakable Block Ciphers Our Contribution Proof Overview Longer Cascades Conclusion Outline

Background: Tweakable Block Ciphers

Our Contribution

Overview of the Proof for Two Rounds

Longer Cascades

Conclusion and Perspectives

Cogliati, Lampe, Seurin Tweaking Even-Mansour Ciphers CRYPTO 2015 20 / 26 Tweakable Block Ciphers Our Contribution Proof Overview Longer Cascades Conclusion Conclusion

k1 ⊗ t k2 ⊗ t kr ⊗ t

x P1 P2 Pr y

• we analyzed the “public permutation” variant of the LRW construction, and proved tight 22n/3-security for 2 rounds • similar security level as LRW, yet in an idealized model rn • open problem 1: prove tight security up to 2 r+1 queries for r ≥ 3 • open problem 2: can we avoid non-linear mixing of the key and the tweak and still get beyond-birthday security?

Cogliati, Lampe, Seurin Tweaking Even-Mansour Ciphers CRYPTO 2015 21 / 26 Tweakable Block Ciphers Our Contribution Proof Overview Longer Cascades Conclusion Conclusion

k1 ⊗ t k2 ⊗ t kr ⊗ t

x P1 P2 Pr y

Cogliati, Lampe, Seurin Tweaking Even-Mansour Ciphers CRYPTO 2015 21 / 26 Tweakable Block Ciphers Our Contribution Proof Overview Longer Cascades Conclusion Conclusion

k1 ⊗ t k2 ⊗ t kr ⊗ t

x P1 P2 Pr y

Cogliati, Lampe, Seurin Tweaking Even-Mansour Ciphers CRYPTO 2015 21 / 26 Tweakable Block Ciphers Our Contribution Proof Overview Longer Cascades Conclusion Conclusion

k1 ⊗ t k2 ⊗ t kr ⊗ t

x P1 P2 Pr y

Cogliati, Lampe, Seurin Tweaking Even-Mansour Ciphers CRYPTO 2015 21 / 26 Tweakable Block Ciphers Our Contribution Proof Overview Longer Cascades Conclusion The TWEAKEY Framework

• proposed by Jean, Nikolić, and Peyrin [JNP14] • Superposition TWEAKEY (STK) constructions:

t g g g

k f f f

x P1 P2 Pr y

• suﬃcient conditions on f and g to have provable beyond-birthday security in the RPM? • NB: f = g linear does not work since Ee(k, t, x) = E(k ⊕ t, x)

Cogliati, Lampe, Seurin Tweaking Even-Mansour Ciphers CRYPTO 2015 22 / 26 Tweakable Block Ciphers Our Contribution Proof Overview Longer Cascades Conclusion The TWEAKEY Framework

• proposed by Jean, Nikolić, and Peyrin [JNP14] • Superposition TWEAKEY (STK) constructions:

t g g g

k f f f

x P1 P2 Pr y

• suﬃcient conditions on f and g to have provable beyond-birthday security in the RPM? • NB: f = g linear does not work since Ee(k, t, x) = E(k ⊕ t, x)

Cogliati, Lampe, Seurin Tweaking Even-Mansour Ciphers CRYPTO 2015 22 / 26 Tweakable Block Ciphers Our Contribution Proof Overview Longer Cascades Conclusion The TWEAKEY Framework

• proposed by Jean, Nikolić, and Peyrin [JNP14] • Superposition TWEAKEY (STK) constructions:

t g g g

k f f f

x P1 P2 Pr y

• suﬃcient conditions on f and g to have provable beyond-birthday security in the RPM? • NB: f = g linear does not work since Ee(k, t, x) = E(k ⊕ t, x)

Cogliati, Lampe, Seurin Tweaking Even-Mansour Ciphers CRYPTO 2015 22 / 26 Tweakable Block Ciphers Our Contribution Proof Overview Longer Cascades Conclusion The TWEAKEY Framework

• proposed by Jean, Nikolić, and Peyrin [JNP14] • Superposition TWEAKEY (STK) constructions:

t g g g

k f f f

x P1 P2 Pr y

• suﬃcient conditions on f and g to have provable beyond-birthday security in the RPM? • NB: f = g linear does not work since Ee(k, t, x) = E(k ⊕ t, x)

Cogliati, Lampe, Seurin Tweaking Even-Mansour Ciphers CRYPTO 2015 22 / 26 Tweakable Block Ciphers Our Contribution Proof Overview Longer Cascades Conclusion The end. . .

Thanks for your attention!

Comments or questions?

Cogliati, Lampe, Seurin Tweaking Even-Mansour Ciphers CRYPTO 2015 23 / 26 References ReferencesI

Paul Crowley. Mercy: A Fast Large Block Cipher for Disk Sector Encryption. In Bruce Schneier, editor, Fast Software Encryption - FSE 2000, volume 1978 of LNCS, pages 49–63. Springer, 2000.

Benoît Cogliati and Yannick Seurin. On the Provable Security of the Iterated Even-Mansour Cipher against Related-Key and Chosen-Key Attacks. In Elisabeth Oswald and Marc Fischlin, editors, Advances in Cryptology - EUROCRYPT 2015 - Proceedings, Part I, volume 9056 of LNCS, pages 584–613. Springer, 2015. Full version available at http://eprint.iacr.org/2015/069.

Niels Ferguson, Stefan Lucks, Bruce Schneier, Doug Whiting, Mihir Bellare, Tadayoshi Kohno, Jon Callas, and Jesse Walker. The Skein Hash Function Family. SHA3 Submission to NIST (Round 3), 2010.

Pooya Farshim and Gordon Procter. The Related-Key Security of Iterated Even-Mansour Ciphers. In Fast Software Encryption - FSE 2015, 2015. To appear. Full version available at http://eprint.iacr.org/2014/953.

Cogliati, Lampe, Seurin Tweaking Even-Mansour Ciphers CRYPTO 2015 24 / 26 References ReferencesII

David Goldenberg, Susan Hohenberger, Moses Liskov, Elizabeth Crump Schwartz, and Hakan Seyalioglu. On Tweaking Luby-Rackoﬀ Blockciphers. In Kaoru Kurosawa, editor, Advances in Cryptology - ASIACRYPT 2007, volume 4833 of LNCS, pages 342–356. Springer, 2007.

Jérémy Jean, Ivica Nikolic, and Thomas Peyrin. Tweaks and Keys for Block Ciphers: The TWEAKEY Framework. In Palash Sarkar and Tetsu Iwata, editors, Advances in Cryptology - ASIACRYPT 2014 - Proceedings, Part II, volume 8874 of LNCS, pages 274–288. Springer, 2014.

Moses Liskov, Ronald L. Rivest, and David Wagner. Tweakable Block Ciphers. In Moti Yung, editor, Advances in Cryptology - CRYPTO 2002, volume 2442 of LNCS, pages 31–46. Springer, 2002.

Rodolphe Lampe and Yannick Seurin. Tweakable Blockciphers with Asymptotically Optimal Security. In Shiho Moriai, editor, Fast Software Encryption - FSE 2013, volume 8424 of LNCS, pages 133–151. Springer, 2013.

Cogliati, Lampe, Seurin Tweaking Even-Mansour Ciphers CRYPTO 2015 25 / 26 References ReferencesIII

Will Landecker, Thomas Shrimpton, and R. Seth Terashima. Tweakable Blockciphers with Beyond Birthday-Bound Security. In Reihaneh Safavi-Naini and Ran Canetti, editors, Advances in Cryptology - CRYPTO 2012, volume 7417 of LNCS, pages 14–30. Springer, 2012. Full version available at http://eprint.iacr.org/2012/450.

Atsushi Mitsuda and Tetsu Iwata. Tweakable Pseudorandom Permutation from Generalized Feistel Structure. In Joonsang Baek, Feng Bao, Kefei Chen, and Xuejia Lai, editors, ProvSec 2008, volume 5324 of LNCS, pages 22–37. Springer, 2008.

Phillip Rogaway. Eﬃcient Instantiations of Tweakable Blockciphers and Reﬁnements to Modes OCB and PMAC. In Pil Joong Lee, editor, Advances in Cryptology - ASIACRYPT 2004, volume 3329 of LNCS, pages 16–31. Springer, 2004.

Richard Schroeppel. The Hasty Pudding Cipher. AES submission to NIST, 1998.

Cogliati, Lampe, Seurin Tweaking Even-Mansour Ciphers CRYPTO 2015 26 / 26